The Apache Commons JEXL team is pleased to announce the release of
Apache Commons JEXL 3.7.0.

Apache Commons JEXL is a library that enables scripting features in
Java applications and frameworks.

This is a feature and maintenance release. Java 8 or later is required.

Compatibility with previous releases: Version 3.7.0 is source and
binary compatible with 3.6.x but changes the default runtime and
parse-time behavior (see below).

Behavior breaking change in 3.7.0

o The default permissions is now "SECURE": a minimum allow-list
covering only safe java.lang
  value types, java.math, and java.util. Everything else is denied
unless explicitly composed in.

o The default features disable new(...), global side-effects, pragmas,
and annotations, and enable
  lexical scoping; loops remain available to scripts (but never to
expressions). Scripts using a
  disabled construct will throw JexlException.Feature at parse time
with the default engine.

To restore the previous (3.6.x) defaults, load the bundled jexl.yaml
via JexlConfigLoader:

    try (InputStream in = getClass().getResourceAsStream("/jexl.yaml")) {
        JexlEngine engine = JexlConfigLoader.load(in).create();
    }

Use JexlPermissions.logging() to discover which reflective elements
the new algorithm denies.

Historical list of changes:
https://commons.apache.org/proper/commons-jexl/changes.html

For complete information on Apache Commons JEXL, including
instructions on how to submit bug reports, patches, or suggestions for
improvement, see the Apache Commons JEXL website:

https://commons.apache.org/proper/commons-jexl/

Download page: https://commons.apache.org/proper/commons-jexl/download_jexl.cgi

Gary Gregory
Apache Commons

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to